users@javaee-spec.java.net

[javaee-spec users] Re: [jsr342-experts] Re: Configuring DENY semantic for uncovered HTTP Methods

From: Ron Monzillo <ron.monzillo_at_oracle.com>
Date: Tue, 18 Dec 2012 20:46:15 -0500

On 12/18/12 3:22 PM, Ron Monzillo wrote:
> On 12/18/12 6:37 AM, Pete Muir wrote:
>> Hi Bill,
>>
>> In general, it would be really helpful if you could upgrade the examples to show what effect the new element would have. IOW, provide an example of the problem today, and then how the new element fixes it.
> Hi Pete,
>
> When the flag is set, an additional constraint would be generated to
> apply a DENY semantic to the (presumably) uncovered methods.
>
> Example 1:
>
> original constraint:
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/a/b/c/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
> additional constraint (to deny all methods except GET and POST)
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/a/b/c/*</url-pattern>
> <http-method-omission>GET</http-method-omission>
> <http-method-omission>POST</http-method-omission>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
>
> Example 2:
>
> original constraint
>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/d/e/f/*</url-pattern>
> <http-method-omission>GET</http-method-omission>
> <http-method-omission>POST</http-method-omission>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
In my haste to provide examples, I made a couple of errors.
The following should have read

additional constraint (to deny previously uncovered GET and POST)

> additional constraint (to allow GET and POST with no protection requirements)
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/d/e/f/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
> Example 3 is analogous to example 1
and the following should have read

Example 4 is analogous to example 3
> Example 4 is analogous to example 2
Sorry for the confusion.

Ron
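The complementary DENY constraints that Ron describes can be derived mechanically from a web.xml, which is also a useful audit for the classic "uncovered HTTP method" misconfiguration. The script below is an added example and is not code from the thread, from the Servlet specification, or from any container; the sample web.xml is constructed to reproduce Example 1 (explicit http-method list), Example 2 (http-method-omission list) and a third, fully covered pattern, and the generation rule is my reading of the thread: a collection that names methods leaves every other method uncovered, a collection that omits methods leaves exactly those uncovered, and an empty auth-constraint is what denies access.

```python
"""Derive the DENY constraints a container would have to synthesize for
the HTTP methods left uncovered by a web.xml's security-constraints.
Added example; the web.xml below is constructed, not taken from any app."""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample: Example 1 and Example 2 from the thread, plus one
# pattern with no method elements at all (every method already covered).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/a/b/c/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/d/e/f/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/g/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    # Strip the namespace so the code works with or without xmlns on web-app.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _dedupe(items):
    return list(OrderedDict((i, None) for i in items))


def _union(a, b):
    """Union of two coverage descriptors.
    ("only", E)        means exactly the methods in E are covered.
    ("all_except", O)  means every method except those in O is covered."""
    if a is None:
        return b
    ka, ma = a
    kb, mb = b
    if ka == "only" and kb == "only":
        return ("only", _dedupe(ma + mb))
    if ka == "only":                       # E | (ALL - O) == ALL - (O - E)
        return ("all_except", [m for m in mb if m not in ma])
    if kb == "only":
        return ("all_except", [m for m in ma if m not in mb])
    return ("all_except", [m for m in ma if m in mb])   # (ALL-O1)|(ALL-O2)


def covered_methods(web_xml):
    """Map each url-pattern to the descriptor of the methods some
    constraint covers for it (first-seen pattern order is preserved)."""
    coverage = OrderedDict()
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            named = [m.text.strip() for m in _children(wrc, "http-method")]
            omitted = [m.text.strip() for m in _children(wrc, "http-method-omission")]
            # No method elements at all: the collection covers every method.
            this = ("only", named) if named else ("all_except", omitted)
            for up in _children(wrc, "url-pattern"):
                pattern = up.text.strip()
                coverage[pattern] = _union(coverage.get(pattern), this)
    return coverage


def deny_constraints(web_xml):
    """Return {url-pattern: security-constraint XML} for every pattern
    that still has uncovered methods; an empty <auth-constraint/> denies."""
    out = OrderedDict()
    for pattern, (kind, methods) in covered_methods(web_xml).items():
        if kind == "only":
            tag = "http-method-omission"    # deny all methods except the named ones
        elif methods:
            tag = "http-method"             # deny exactly the previously omitted ones
        else:
            continue                        # nothing is uncovered for this pattern
        lines = ["<security-constraint>", "  <web-resource-collection>",
                 f"    <url-pattern>{pattern}</url-pattern>"]
        lines += [f"    <{tag}>{m}</{tag}>" for m in methods]
        lines += ["  </web-resource-collection>", "  <auth-constraint/>",
                  "</security-constraint>"]
        out[pattern] = "\n".join(lines)
    return out


if __name__ == "__main__":
    for pattern, xml in deny_constraints(SAMPLE_WEB_XML).items():
        print(f"# additional constraint for {pattern}\n{xml}\n")
```

Running it prints the two "additional constraint" blocks from the corrected thread (omission of GET and POST for /a/b/c/*, explicit GET and POST for /d/e/f/*) and nothing for /g/*, since a collection with no method elements already covers every method. When several collections name the same pattern, their coverage is unioned before the complement is taken, which is the generalization the thread's single-constraint examples imply.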